CN106663017B - Method, terminal, data routing method and device for realizing host card simulation - Google Patents
- Publication number
- CN106663017B CN201580043877.1A
- Authority
- CN
- China
- Prior art keywords
- external data
- identifier
- tee
- hce application
- terminal
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F8/00—Arrangements for software engineering
- G06F8/60—Software deployment
- G06F8/61—Installation
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45504—Abstract machines for programme code execution, e.g. Java virtual machine [JVM], interpreters, emulators
- G06F9/45508—Runtime interpretation or emulation, e.g. emulator loops, bytecode interpretation
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/445—Program loading or initiating
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/46—Multiprogramming arrangements
- G06F9/54—Interprogram communication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W88/00—Devices specially adapted for wireless communication networks, e.g. terminals, base stations or access point devices
- H04W88/02—Terminal devices
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04B—TRANSMISSION
- H04B5/00—Near-field transmission systems, e.g. inductive or capacitive transmission systems
- H04B5/20—Near-field transmission systems, e.g. inductive or capacitive transmission systems characterised by the transmission technique; characterised by the transmission medium
Landscapes
- Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- General Engineering & Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Stored Programmes (AREA)
- Mobile Radio Communication Systems (AREA)
- Telephonic Communication Services (AREA)
Abstract
Embodiments of the present invention provide a method and an apparatus for implementing host card emulation. A terminal installs an HCE application, according to the type of the HCE application, into the terminal environment corresponding to that type, where the terminal environments include a trusted execution environment (TEE) and a rich execution environment (REE). The terminal parses a first identifier of the HCE application and at least one second identifier contained in the HCE application; the first identifier uniquely identifies the HCE application in the terminal, and the second identifier identifies a message flow between a card reading device and the HCE application. The terminal registers routing information of the HCE application in the TEE; the routing information includes the first identifier, the at least one second identifier, and the terminal environment in which the HCE application is installed. The invention makes it possible to implement, on a terminal, HCE applications supporting the two different security levels of TEE and REE.
Description
Technical field
The present invention relates to the field of communication technologies, and in particular to a method for implementing host card emulation, a terminal, and a data routing method and apparatus.
Background
The card emulation (CE) function refers to using a terminal that supports near field communication (NFC) and has a secure element (SE) to emulate a contactless IC card. A card emulation application is installed into, and runs in, the secure element of the terminal. A secure element generally allows multiple card emulation applications to be installed, so that a user carrying one terminal effectively carries multiple physical cards, which is a great convenience.
Host card emulation (Host-based Card Emulation or Host Card Emulation, HCE) means that the card emulation application does not need to be installed in the secure element; instead it is installed directly into the terminal's operating system like an ordinary application and runs on the device host. HCE is widely used in near field communication (NFC).
At present, HCE applications generally run in the rich execution environment (REE) of the terminal and communicate with card reading devices such as POS machines or card readers through the terminal's NFC interface. The REE is an execution environment with a relatively low security level: applications from any source can be installed into the REE with the user's permission, and the protection of data stored in the REE is not sufficient to withstand the threat of various malware. Therefore, when an HCE application is installed and run in the REE, its associated confidential data, such as user accounts, has a low security level and is easily stolen.
However, the HCE mechanism is now often needed to implement applications with high security requirements, such as HCE payment applications issued by banks. If such HCE applications are installed into the REE, the account data associated with them is easily stolen by malicious programs. The data associated with HCE programs in the REE is therefore at considerable risk.
Summary of the invention
Embodiments of the present invention provide a method for implementing host card emulation, a terminal, and a data routing method and apparatus, so as to implement HCE functions of different security levels on a terminal.
In a first aspect, a method for implementing host card emulation (HCE) is provided, including:
the terminal installs an HCE application, according to the type of the HCE application, into the terminal environment corresponding to the type of the HCE application, where the terminal environments include a trusted execution environment (TEE) and a rich execution environment (REE);
the terminal parses a first identifier of the HCE application and at least one second identifier contained in the HCE application, where the first identifier is used to uniquely identify the HCE application in the terminal, and the second identifier is used to identify a message flow between a card reading device and the HCE application;
the terminal registers routing information of the HCE application in the TEE, where the routing information includes the first identifier, the at least one second identifier, and the terminal environment in which the HCE application is installed.
With reference to the first aspect, in a first implementation, the method further includes:
the terminal sends acquired external data to a routing management module in the TEE;
the routing management module sends the external data to the HCE application corresponding to the external data.
With reference to the first implementation of the first aspect, in a second implementation, the terminal sending the acquired external data to the routing management module in the TEE specifically includes:
the terminal acquires the external data through a near field communication controller (NFCC) in the TEE or an NFCC in the REE;
the NFCC in the TEE or the NFCC in the REE sends the external data whose routing target is the device host to the routing management module in the TEE.
With reference to the first or second implementation of the first aspect, in a third implementation, the routing management module sending the external data to the HCE application corresponding to the external data specifically includes:
the routing management module obtains the second identifier in the external data;
the routing management module determines, according to the routing information registered in the TEE, the external-data first identifier corresponding to the second identifier in the external data, and the terminal environment in which the HCE application corresponding to the external-data first identifier is installed;
the routing management module sends the external data, according to the determined terminal environment, to the HCE application corresponding to the external-data first identifier.
With reference to the third implementation of the first aspect, in a fourth implementation, sending the external data, according to the determined terminal environment, to the HCE application corresponding to the external-data first identifier includes:
if the determined terminal environment is the TEE, sending the external data through an established session to the HCE application in the TEE that corresponds to the external-data first identifier;
if the determined terminal environment is the REE, sending the external data through a service program in the TEE or through shared memory to the HCE application in the REE that corresponds to the external-data first identifier.
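The registration and routing steps of the first aspect, as an added C example (not code from the patent). It assumes the second identifier is an ISO 7816-4 AID carried in a SELECT command, an encoding this text does not specify; the function names, application identifiers, sample AIDs and the refusal of a second claim on an already registered identifier are all constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Terminal environments from the text; ENV_NONE means "no route, drop". */
enum env { ENV_NONE = 0, ENV_TEE, ENV_REE };
#define MAX_ROUTES  16
#define MIN_ID2_LEN 5    /* assumption: the second identifier is an */
#define MAX_ID2_LEN 16   /* ISO 7816-4 AID, which is 5..16 bytes    */

/* Routing entry: second identifier -> (first identifier, environment). */
struct route {
    uint8_t  id2[MAX_ID2_LEN];
    size_t   id2_len;
    char     first_id[32];
    enum env env;
};

static struct route table[MAX_ROUTES];   /* held inside the TEE */
static size_t n_routes;

static const struct route *find_by_id2(const uint8_t *id2, size_t len)
{
    for (size_t i = 0; i < n_routes; i++)
        if (table[i].id2_len == len && memcmp(table[i].id2, id2, len) == 0)
            return &table[i];
    return NULL;
}

/* Register one second identifier for an application.
 * Returns 0 on success, -1 bad argument, -2 conflict, -3 table full. */
int register_route(const char *first_id, enum env env,
                   const uint8_t *id2, size_t id2_len)
{
    if (!first_id || !id2 || (env != ENV_TEE && env != ENV_REE) ||
        id2_len < MIN_ID2_LEN || id2_len > MAX_ID2_LEN ||
        strlen(first_id) >= sizeof table[0].first_id)
        return -1;
    /* Assumed policy: one claim per second identifier, so no takeover. */
    if (find_by_id2(id2, id2_len))
        return -2;
    if (n_routes == MAX_ROUTES)
        return -3;
    struct route *r = &table[n_routes++];
    memcpy(r->id2, id2, id2_len);
    r->id2_len = id2_len;
    memcpy(r->first_id, first_id, strlen(first_id) + 1);
    r->env = env;
    return 0;
}

/* Pull the second identifier out of external data, assumed to be a
 * SELECT-by-name command: 00 A4 04 P2 Lc <AID> [Le]. Returns 0 or -1. */
int extract_second_id(const uint8_t *apdu, size_t len,
                      const uint8_t **id2, size_t *id2_len)
{
    if (!apdu || len < 5 ||
        apdu[0] != 0x00 || apdu[1] != 0xA4 || apdu[2] != 0x04)
        return -1;
    size_t lc = apdu[4];
    /* Lc comes from the reader: bound it and check it against the real length. */
    if (lc < MIN_ID2_LEN || lc > MAX_ID2_LEN ||
        (len != 5 + lc && len != 5 + lc + 1))
        return -1;
    *id2 = apdu + 5;
    *id2_len = lc;
    return 0;
}

/* Routing decision: which environment and application receive this data. */
enum env route_external_data(const uint8_t *apdu, size_t len,
                             const char **first_id)
{
    const uint8_t *id2;
    size_t id2_len;
    *first_id = NULL;
    if (extract_second_id(apdu, len, &id2, &id2_len) != 0)
        return ENV_NONE;
    const struct route *r = find_by_id2(id2, id2_len);
    if (!r)
        return ENV_NONE;
    *first_id = r->first_id;
    return r->env;
}

/* Constructed sample data (proprietary-range AIDs, not real applications). */
static const uint8_t AID_PAY[]     = {0xF0, 0x01, 0x02, 0x03, 0x04, 0x05};
static const uint8_t AID_TRANSIT[] = {0xF0, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E};
static const uint8_t SEL_PAY[] = {0x00,0xA4,0x04,0x00,0x06, 0xF0,0x01,0x02,0x03,0x04,0x05, 0x00};

int main(void)
{
    const char *app;
    register_route("bank.pay", ENV_TEE, AID_PAY, sizeof AID_PAY);
    register_route("city.transit", ENV_REE, AID_TRANSIT, sizeof AID_TRANSIT);
    printf("second claim on AID_PAY: %d\n",
           register_route("other.app", ENV_REE, AID_PAY, sizeof AID_PAY));
    printf("SEL_PAY -> env %d\n", route_external_data(SEL_PAY, sizeof SEL_PAY, &app));
    return 0;
}
```

Delivery itself (an established session for a TEE application, a TEE service program or shared memory for an REE application) is outside this example; the function returns only the decision that selects between those paths.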
In a second aspect, a data routing method is provided, including:
a terminal sends acquired external data to a routing management module in the TEE;
the routing management module sends the external data to the HCE application corresponding to the external data.
With reference to the second aspect, in a first implementation, the terminal sending the acquired external data to the routing management module in the TEE specifically includes:
the terminal acquires the external data through an NFCC driver in the TEE or an NFCC driver in the REE, and sends the external data whose routing target is the device host to the routing management module in the TEE.
With reference to the second aspect or the first implementation of the second aspect, in a second implementation, the routing management module sending the external data to the HCE application corresponding to the external data includes:
the routing management module obtains the second identifier in the external data, where the second identifier is used to identify a message flow between a card reading device and an HCE application;
determining, according to the routing information of HCE applications registered in the TEE, the external-data first identifier corresponding to the second identifier in the external data, and the terminal environment in which the HCE application corresponding to the external-data first identifier is installed, where the first identifier is used to uniquely identify an HCE application in the terminal;
sending the external data, according to the determined terminal environment, to the HCE application corresponding to the external-data first identifier.
With reference to the second implementation of the second aspect, in a third implementation, sending the external data, according to the determined terminal environment, to the HCE application corresponding to the external-data first identifier includes:
if the determined terminal environment is the TEE, sending the external data through an established session to the HCE application in the TEE that corresponds to the external-data first identifier;
if the determined terminal environment is the REE, sending the external data through a service program in the TEE or through shared memory to the HCE application in the REE that corresponds to the external-data first identifier.
In a third aspect, a terminal for implementing host card emulation (HCE) is provided, including:
an installation unit, configured to install an HCE application, according to the type of the HCE application, into the terminal environment corresponding to the type of the HCE application, where the terminal environments include a trusted execution environment (TEE) and a rich execution environment (REE);
a parsing unit, configured to parse a first identifier of the HCE application installed by the installation unit and at least one second identifier contained in the HCE application, where the first identifier is used to uniquely identify the HCE application in the terminal, and the second identifier is used to identify a message flow between a card reading device and the HCE application;
a registration unit, configured to register routing information of the HCE application in the TEE, where the routing information includes the first identifier and the at least one second identifier parsed by the parsing unit, and the terminal environment in which the HCE application is installed.
With reference to the third aspect, in a first implementation, the terminal further includes a first routing unit and a second routing unit, where
the first routing unit is configured to send acquired external data to the second routing unit in the TEE;
the second routing unit is configured to send the external data to the HCE application, installed by the installation unit, that corresponds to the external data.
With reference to the first implementation of the third aspect, in a second implementation, the first routing unit is specifically configured to send the acquired external data to the second routing unit in the TEE as follows:
acquiring the external data through a near field communication controller (NFCC) in the TEE or an NFCC in the REE;
the NFCC in the TEE or the NFCC in the REE sends the external data whose routing target is the device host to the second routing unit in the TEE.
With reference to the first or second implementation of the third aspect, in a third implementation, the second routing unit is specifically configured to send the external data to the HCE application corresponding to the external data as follows:
obtaining the second identifier in the external data;
determining, according to the information registered in the TEE, the external-data first identifier corresponding to the second identifier in the external data, and the terminal environment in which the HCE application corresponding to the external-data first identifier is installed;
sending the external data, according to the determined terminal environment, to the HCE application corresponding to the external-data first identifier.
With reference to the third implementation of the third aspect, in a fourth implementation, the second routing unit is specifically configured to send the external data, according to the determined terminal environment, to the HCE application corresponding to the external-data first identifier as follows:
if the determined terminal environment is the TEE, sending the external data through an established session to the HCE application in the TEE that corresponds to the external-data first identifier;
if the determined terminal environment is the REE, sending the external data through a service program in the TEE or through shared memory to the HCE application in the REE that corresponds to the external-data first identifier.
In a fourth aspect, a data routing apparatus is provided, including:
an acquiring unit, configured to acquire external data;
a first routing unit, configured to send the external data acquired by the acquiring unit to a second routing unit in the TEE;
the second routing unit, configured to send the external data to the HCE application corresponding to the external data.
With reference to the fourth aspect, in a first implementation, the first routing unit is specifically configured to send the acquired external data to the second routing unit in the TEE as follows:
acquiring the external data through an NFCC driver in the TEE or an NFCC driver in the REE, and sending the external data whose routing target is the device host to the second routing unit in the TEE.
With reference to the first implementation of the fourth aspect, in a second implementation, the second routing unit is specifically configured to send the external data to the HCE application corresponding to the external data as follows:
obtaining the second identifier in the external data, where the second identifier is used to identify a message flow between a card reading device and an HCE application;
determining, according to the routing information of the HCE application registered in the TEE, the external-data first identifier corresponding to the second identifier in the external data, and the terminal environment in which the HCE application corresponding to the external-data first identifier is installed, where the first identifier is used to uniquely identify an HCE application in the terminal;
sending the external data, according to the determined terminal environment, to the HCE application corresponding to the external-data first identifier.
With reference to the second implementation of the fourth aspect, in a third implementation, the second routing unit is specifically configured to send the external data, according to the determined terminal environment, to the HCE application corresponding to the first identifier as follows:
if the determined terminal environment is the TEE, sending the external data through an established session to the HCE application in the TEE that corresponds to the external-data first identifier;
if the determined terminal environment is the REE, sending the external data through a service program in the TEE or through shared memory to the HCE application in the REE that corresponds to the external-data first identifier.
In a fifth aspect, a terminal for implementing host card emulation (HCE) is provided, including a memory, peripherals, a communication unit and a processor, where:
the memory includes public random access memory (RAM) and public read-only memory (ROM) operating in the rich execution environment (REE), and trusted RAM and trusted ROM operating in the trusted execution environment (TEE), and is configured to store instructions and data;
the peripherals include public peripherals in the REE and trusted peripherals in the TEE;
the communication unit is located in the REE;
the processor is configured to call the instructions and data stored in the public RAM, the public ROM, the trusted RAM and the trusted ROM and, through the trusted peripherals, the public peripherals and the communication unit, to implement the following functions:
installing an HCE application, according to the type of the HCE application, into the terminal environment corresponding to the type of the HCE application, where the terminal environments include the TEE and the REE; parsing a first identifier of the HCE application and at least one second identifier contained in the HCE application, where the first identifier is used to uniquely identify the HCE application in the terminal, and the second identifier is used to identify a message flow between a card reading device and the HCE application; and registering routing information of the HCE application in the TEE, where the routing information includes the first identifier, the at least one second identifier, and the terminal environment in which the HCE application is installed.
With reference to the fifth aspect, in a first implementation, the processor is further configured to:
send acquired external data to a routing management module in the TEE, and control the routing management module to send the external data to the HCE application corresponding to the external data.
With reference to the first implementation of the fifth aspect, in a second implementation, the processor is specifically configured to send the acquired external data to the routing management module in the TEE as follows:
acquiring the external data through a near field communication controller (NFCC) in the TEE or an NFCC in the REE;
the NFCC in the TEE or the NFCC in the REE sends the external data whose routing target is the device host to the routing management module in the TEE.
With reference to the first or second implementation of the fifth aspect, in a third implementation, the processor is specifically configured to control the routing management module to send the external data to the HCE application corresponding to the external data as follows:
controlling the routing management module to obtain, through the communication unit and the peripherals, the second identifier in the external data; to determine, according to the routing information registered in the TEE, the external-data first identifier corresponding to the second identifier in the external data and the terminal environment in which the HCE application corresponding to the external-data first identifier is installed; and controlling the routing management module to send the external data, according to the determined terminal environment, to the HCE application corresponding to the external-data first identifier.
With reference to the third implementation of the fifth aspect, in a fourth implementation, the processor is specifically configured to control the routing management module to send the external data, according to the determined terminal environment, to the HCE application corresponding to the external-data first identifier as follows:
if the determined terminal environment is the TEE, sending the external data through an established session to the HCE application in the TEE that corresponds to the external-data first identifier;
if the determined terminal environment is the REE, sending the external data through a service program in the TEE or through shared memory to the HCE application in the REE that corresponds to the external-data first identifier.
The method for implementing host card emulation, the terminal, and the data routing method and apparatus provided by the embodiments of the present invention use different application-type labels to distinguish whether an HCE application is a TA or a CA, and then install a TA into the TEE and a CA into the REE, thereby implementing HCE applications at two different security levels, TEE-based and REE-based.
Brief description of the drawings
FIG. 1A to FIG. 1B show the terminal system architecture to which the host card emulation method provided by an embodiment of the present invention is applied;
FIG. 2 is a flowchart of a host card emulation method provided by an embodiment of the present invention;
FIG. 3 is a flowchart of installing an HCE application into the corresponding environment, provided by an embodiment of the present invention;
FIG. 4 is a flowchart of another host card emulation method provided by an embodiment of the present invention;
FIG. 5 is a flowchart of sending acquired external data to the routing management module in the TEE, provided by an embodiment of the present invention;
FIG. 6 is a schematic diagram of the routing information saving process provided by an embodiment of the present invention;
FIG. 7 is a schematic diagram of the process of routing external data according to the routing information saved for applications, provided by an embodiment of the present invention;
FIG. 8 is a schematic diagram of the routing table set up in an embodiment of the present invention;
FIG. 9 is a schematic diagram of the routing process performed in the TEE, provided by an embodiment of the present invention;
FIG. 10 is a schematic diagram of the process of forwarding external data to a TA, provided by an embodiment of the present invention;
FIG. 11A to FIG. 11B are schematic diagrams of the process of forwarding external data to a CA, provided by an embodiment of the present invention;
FIG. 12A to FIG. 12B are schematic structural diagrams of a terminal for implementing host card emulation, provided by an embodiment of the present invention;
FIG. 13 is another schematic structural diagram of a terminal for implementing host card emulation, provided by an embodiment of the present invention;
FIG. 14 is a schematic structural diagram of a data routing apparatus provided by an embodiment of the present invention.
Detailed description
The technical solutions in the embodiments of the present invention are described clearly below with reference to the accompanying drawings of those embodiments.
The Trusted Execution Environment (TEE) and the REE are two program execution environments that coexist in a terminal. Both can be called terminal environments, and each comprises hardware resources such as memory and a processor, and software such as an operating system (OS) and a framework. The REE does not strictly restrict where applications come from: with the user's permission, the REE accepts software installed from any source. The TEE is different. Storage inside the TEE is secure storage, which is managed by the TEE issuer (for example, the terminal manufacturer or the operator) and is subject to restricted access conditions. When the terminal receives a request to access TEE storage, for example to read or write secure storage (installing a program into the TEE is a write to secure storage), it must verify that the request complies with the secure access rules, and the corresponding storage content can be accessed only if it does. Because of these properties, malicious programs cannot access the programs installed in the TEE or their data, and programs installed in the TEE cannot reach across boundaries to data that does not belong to them, so a higher security level is achieved.
A Trusted Application (TA) is an application that runs in the TEE and can provide security-related functions, such as cryptographic services, signature services and digest services, to client applications in the REE or to other trusted applications in the TEE. Correspondingly, a Client Application (CA) is an application that runs in the REE and can communicate with a trusted application (TA) in the TEE through the TEE client application programming interface or a shared memory mechanism, and call the services that the TA provides.
To make it easier for software developers (Soft Processor, SP) to choose an HCE security level that matches their business requirements, an embodiment of the present invention provides a method for implementing host card emulation that installs HCE applications of different security levels on a terminal that includes a TEE, meeting the different security levels that different services require. For example, services that demand a high security level, such as financial card and payment card applications, can be implemented as a TA and installed in the TEE; services with a low security level, such as supermarket membership cards and access control cards, can be implemented as a CA and installed in the REE.
The host card emulation method provided by the embodiment of the present invention installs an HCE application into the corresponding terminal environment according to whether the service requirements of the HCE application call for installation in the TEE or in the REE.
In the embodiment of the present invention, an application type label that identifies the terminal environment in which the HCE application is to be installed can be defined in the resource file of the HCE application. Different application type labels distinguish whether the HCE application should be installed in the TEE or in the REE, and the HCE application is installed accordingly, so that the terminal supports HCE applications at two different security levels, TEE and REE.
In the embodiment of the present invention, to support HCE applications at the two security levels on the terminal, that is, to install HCE applications with a high security level in the TEE and HCE applications with a lower security level in the REE, the terminal system architecture shown in FIG. 1A or FIG. 1B can be used, in which the routing function for HCE applications of different security levels is implemented in the TEE. In FIG. 1A, after the NFC controller (NFC Controller, NFCC) receives data, it sends the data to the upper-layer application through the NFCC driver (NFCC Driver) and the NFCC routing module in the REE operating system kernel. When HCE applications at both the TEE and REE security levels are supported, the NFCC driver sends the received data to the trusted NFC service framework (NFC Service Framework) in the TEE, which forwards it to the routing management module (Routing Management Module, also written as Route-TA in the present invention). The routing management module (Route-TA) in the TEE distributes (that is, routes) the data to a TA in the TEE or to a CA in the REE. In FIG. 1B, after the NFC controller receives data, it sends the data to the routing management module in the TEE through the trusted NFCC driver in the trusted operating system kernel of the TEE, and the routing management module in the TEE distributes the data to a TA in the TEE or to a CA in the REE.
It should be noted that the NFCC in the embodiment of the present invention may also be called the Near Field Communication Controller (NFCC). The NFCC is a logical entity defined by the NFC Forum, and the industry also commonly uses NFCC to refer to the NFCC chip that implements the main NFC functions. The present invention distinguishes between the NFCC chip, the NFCC driver and the NFCC routing module; all three of these hardware or software components are part of the NFCC logical entity.
FIG. 2 is a flowchart of the method for implementing host card emulation provided by an embodiment of the present invention. As shown in FIG. 2, the method includes:
S101: According to the type of the HCE application, the terminal installs the HCE application into the terminal environment corresponding to that type.
In the embodiment of the present invention, the terminal environments in which an HCE application can be installed are the TEE and the REE. One HCE application corresponds to exactly one terminal environment, that is, the terminal environment in which the HCE application runs is either the TEE or the REE. It should be noted that the terminal environment in which an HCE application is installed is referred to in the embodiments as the environment or the installation environment, and may also be called the application running environment and so on; the embodiments of the present invention do not limit the term.
Specifically, to install the HCE application into the terminal environment corresponding to its type, the terminal may follow the method flow shown in FIG. 3, which includes:
S1011: Obtain the resource file of the HCE application.
The HCE application installation package contains the configuration file of the HCE application. When the terminal receives the installation package, it checks the configuration file in the package and obtains the resource file of the HCE application according to the resource file name and path specified in the configuration file.
S1012: Determine the terminal environment in which the HCE application is to be installed according to the application type label in the obtained resource file.
In the embodiment of the present invention, different application type labels distinguish whether the terminal environment in which the HCE application is installed is the TEE or the REE. The REE host card emulation label (<host-apdu-service/>) in the resource file indicates that the HCE application is a CA and that the environment in which it is to be installed is the REE. The TEE host card emulation label (<TEE-apdu-service/>) in the resource file indicates that the HCE application is a TA and that the environment in which it is to be installed is the TEE. Therefore, if the application type label in the obtained resource file is <host-apdu-service/>, the terminal environment in which the HCE application is to be installed is determined to be the REE, that is, the application is a CA. If the application type label in the obtained resource file is <TEE-apdu-service/>, the terminal environment in which the HCE application is to be installed is determined to be the TEE, that is, the application is a TA.
S1013: Install the HCE application into the determined terminal environment.
In the embodiment of the present invention, the terminal environment in which the HCE application is installed is the REE or the TEE. If the terminal environment is determined to be the TEE, that is, the application is a TA, the TA is installed in the TEE. If the terminal environment is determined to be the REE, that is, the application is a CA, the CA is installed in the REE.
S102: The terminal parses the first identifier of the HCE application and at least one second identifier contained in the HCE application.
Each HCE application corresponds to one application identifier (APP ID). In general, a CA can use the application's certificate as its application identifier, and a TA can use a Universally Unique Identifier (UUID) as its application identifier. Each HCE application can handle several message flows between the card reading device and the HCE. A message flow begins when the card reading device sends a SELECT AID command. After the HCE application receives the SELECT AID that the routing management module routed to it, it should reply with an APDU. The card reading device then sends further data exchange commands, which the HCE application must answer, until the terminal receives another SELECT AID command (in general, the AID in this SELECT AID command differs from the AID in the previous one). At that point the current message flow ends and a new message flow begins; which HCE application handles the new flow is determined by the routing management module according to the AID in the new SELECT AID command. In a single card-swipe transaction performed with the terminal, the terminal may also receive only one SELECT AID command, whose AID is determined by the payment card that the user selected for the transaction; in that case the interaction between the card reading device and the terminal, from receipt of the SELECT AID command to the end of the transaction, can also be regarded as one message flow. In summary, a message flow is identified by an Application Identifier (AID). The AID is the identifier defined by ISO/IEC 7816-5 for a card application (applet) installed in a smart card. It is also used to identify a message flow that an HCE application can process, or equivalently a card application contained in the HCE application. One HCE application can implement the processing logic for one or more AIDs, and each AID's processing logic corresponds to one card application, that is, to one message flow between the card reading device and the HCE application. For convenience of description, the embodiment of the present invention calls the application identifier of an HCE application the first identifier; the first identifier uniquely identifies one HCE application. The AID is called the second identifier; the second identifier identifies a message flow between the card reading device and the HCE application.
In the embodiment of the present invention, the first identifier uniquely identifies the HCE application within the terminal, and the second identifier identifies a message flow between the card reading device and the HCE application.
S103: The terminal registers the routing information of the HCE application in the TEE.
In the embodiment of the present invention, the routing information of the HCE application that the terminal registers in the TEE includes the first identifier, the at least one second identifier, and the terminal environment in which the HCE application is installed.
In the embodiment of the present invention, both installing a TA in the TEE and installing a CA in the REE require parsing the first identifier and the at least one second identifier contained in the HCE application, and registering the parsed first identifier, the at least one second identifier, and the terminal environment in which the HCE application is installed in the TEE.
In the embodiment of the present invention, registering the first identifier, the second identifier and the terminal environment in which the HCE application is installed in the TEE is a necessary step in completing the installation and deployment of the HCE. The installation and deployment process also includes other necessary steps, which the embodiment of the present invention does not limit here.
It should be noted that registration, as used in the embodiment of the present invention, means sending the first identifier of the HCE application, the at least one second identifier related to the HCE application, and the terminal environment in which the HCE application resides to the routing management module in the TEE. The routing management module performs conflict detection and conflict resolution on the received information, that is, on the second identifiers related to the HCE application. (Several HCE applications may handle the same second identifier, in which case the routing management module needs special handling, such as designating one of those HCE applications to process that second identifier.) It then generates multiple routing items according to the correspondence between the first identifier, the second identifiers and the terminal environment in which the HCE application is installed, and saves them in the routing table of the TEE routing management module. External data received later is routed according to this routing table. The routing information in the embodiment of the present invention includes the first identifier, the at least one second identifier and the terminal environment in which the HCE application is installed. Because one HCE application corresponds to one or more second identifiers, and each second identifier can generate one routing item, the routing information of one HCE application includes at least one routing item.
In the embodiment of the present invention, the two different application type labels in the resource file let the terminal distinguish whether the installation environment of an HCE application is the TEE or the REE. When the terminal receives an HCE application installation package, it can use the application type label in the resource file to determine the terminal environment in which the HCE application is to be installed and whether the HCE application is a TA or a CA, then install the TA in the TEE and the CA in the REE, realizing HCE applications at two different security levels, TEE-based and REE-based.
Further, in the embodiment of the present invention, after the routing information of the HCE applications installed in the TEE and the REE of the terminal has all been registered in the TEE, the following steps may also be included:
S104: The terminal sends the acquired external data to the routing management module in the TEE.
S105: The routing management module sends the external data to the HCE application corresponding to the external data.
For the implementation flowchart that includes steps S104 and S105, see FIG. 4.
In the embodiment of the present invention, the acquired external data may be sent to the routing management module of the TEE using the data routing method shown in FIG. 5, which includes:
S1041: The terminal acquires external data through the NFCC in the TEE or the NFCC in the REE.
When the terminal is in card emulation mode, it communicates through an NFC interface, such as an NFC antenna, with a contactless card reading device, such as a contactless POS terminal or a contactless card reader. The terminal uses the NFCC chip and the NFCC driver to acquire external data from the NFC antenna.
Optionally, in the embodiment of the present invention, a trusted NFCC driver may be loaded in the TEE of the terminal, so that the trusted operating system (Trusted OS) in the TEE obtains access control over the NFC interface and thereby acquires the external data.
S1042: The NFCC in the TEE or the NFCC in the REE sends the external data whose routing target is the device host to the TEE.
In the embodiment of the present invention, after the terminal uses the NFCC chip and the NFCC driver to acquire, from the NFC antenna, external data sent by an external device such as a contactless card reader or a contactless POS terminal, it passes the data to the NFCC routing module for processing. The NFCC routing module is a software entity (for example, it can be implemented as chip firmware). It obtains the second identifier in the external data and, according to the routing table stored in the NFCC, forwards to the TEE the data that needs to be sent there. In the embodiment of the present invention, the data that needs to be sent to the TEE includes data whose routing target is the device host. The device host (Device Host) generally refers to the central processing unit (CPU) of the terminal, also called the host central processing unit (Host Central Processing Unit, Host CPU).
NFC has three working modes: card emulation, P2P and card reader. To support these three modes, the NFCC chip works in poll mode (corresponding to P2P and card reader) and in listen mode; card emulation belongs to listen mode. Whether routing needs to be performed can therefore be determined by checking whether the current working mode of the NFCC chip is card emulation. Further, whether the acquired external data needs to be sent to the TEE can be determined from the SELECT AID command in the acquired external data and the routing table configured in the NFCC.
In the embodiment of the present invention, the first routing can be performed by the NFCC in the TEE, which sends the external data whose routing target is the device host CPU to the routing management module in the TEE, as shown in FIG. 1B. Alternatively, the first routing can be performed by the NFCC in the REE, which sends the external data whose routing target is the device host to the routing management module in the TEE, as shown in FIG. 1A.
The first routing refers to the process of sending the acquired data to the routing management module in the TEE.
In the embodiment of the present invention, so that the external data can be sent in the TEE to the HCE application corresponding to it, routing information can be saved in advance, that is, the first identifier of the HCE application, the at least one second identifier and their correspondence are registered. The first identifier and the at least one second identifier of the HCE application can be registered with the routing management module in the TEE, which then routes data to the HCE application in the corresponding environment based on the saved routing information. In this way, different types of HCE applications are processed in different terminal environments, which improves the security of the different HCE applications.
For the process of registering routing information in advance, see FIG. 6. An HCE application in the REE can specify the list of second identifiers corresponding to it through a static resource file, or it can specify that list through a dynamic registration application programming interface (Application Programming Interface, API). Whether the static or the dynamic method is used, the mapping between the first identifier and the second identifiers must be sent to the routing management module in the TEE through the TEE client application programming interface (TEE Client API) or shared memory. An HCE application in the TEE can also use the static or dynamic method above to declare the second identifiers corresponding to it. The difference is that it does not need the TEE Client API or shared memory; instead it uses the communication mechanism between TAs, a session, to send the mapping between the first identifier and the second identifiers to the routing management module in the TEE. The routing management module parses the first identifier to obtain the terminal environment in which the HCE application is installed, and then saves the first identifier of the HCE application, the at least one second identifier corresponding to the first identifier, and the terminal environment in which the HCE application is installed as at least one routing item. In FIG. 6, for the REE, after the user downloads the CA installation package, the terminal parses the application installation configuration file, finds the <host-apdu-service/> label and learns that the HCE application is a CA. It then parses the resource file, reads the second identifiers in it, and sends the first identifier and the at least one second identifier that it read to the routing management module in the TEE.
Further, in the embodiment of the present invention, an HCE application in the REE (a CA) can, while running, call the API for dynamically loading second identifiers to send the mapping between the first identifier and the second identifiers to the routing management module in the TEE. When the CA application or one of its components is updated, for example when the software application version is upgraded or a new card application is added to the HCE application, that is, when an AID is added, the updated information must also be sent to the TEE so that routing stays accurate. In FIG. 6, for the TEE, after the user downloads the installation package of an HCE application (a TA), the terminal parses the first identifier and the second identifiers of the TA, or the TA at run time calls the API for dynamically loading second identifiers, and the mapping between the first identifier and the second identifiers is sent to the routing management module of the TEE. The routing management module in the TEE receives and manages the first and second identifiers, and saves or updates the routing information of the HCE application in the TEE.
In the embodiment of the present invention, once the routing information of the HCE applications has been saved in advance, the terminal can wait for data. When data is received, the NFCC performs the first routing and routes the data to the routing management module in the TEE. The routing management module then performs the second routing according to the routing information saved in advance and forwards the data to a CA or a TA, as shown in FIG. 7.
The second routing refers to the process in which the routing management module receives the data and forwards it to a CA or a TA.
In the embodiment of the present invention, a routing table is set up in the routing management module of the TEE according to the saved routing information. The routing table includes the first identifiers and second identifiers of the TAs and CAs and the terminal environments in which they are installed. The routing management module routes data to the corresponding HCE application according to this routing table.
FIG. 8 shows the routing table set up in the embodiment of the present invention. As shown in FIG. 8, a routing item is set for each second identifier and its corresponding first identifier. For example, second identifier 1 and first identifier 1 of a CA correspond to route 1, and second identifier 2 and first identifier 2 of a TA correspond to route 2.
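The following Python example is added here and is not code from the patent: it models the application type labels, registration of routing items with conflict detection, and the second routing keyed on the AID of a SELECT AID command. The `name` attribute on `<AID-filter>`, the conflict policy (the existing owner keeps the AID), the class and function names, and all identifiers and AIDs are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Application type labels named in the text, mapped to the terminal environment.
TYPE_LABELS = {"host-apdu-service": "REE", "TEE-apdu-service": "TEE"}

# Constructed sample inputs (identifiers and AIDs are placeholders, not real values).
CA_ID = "ca-certificate-placeholder"      # first identifier of a CA
TA_ID = "ta-uuid-placeholder"             # first identifier of a TA
CA_RESOURCE = """<host-apdu-service>
  <AID-filter name="F0010203040506"/>
</host-apdu-service>"""
TA_RESOURCE = """<TEE-apdu-service>
  <AID-filter name="F00A0B0C0D0E0F"/>
  <AID-filter name="F0010203040506"/>
</TEE-apdu-service>"""


def parse_resource_file(xml_text):
    """Return (environment, [AID, ...]) for one HCE application's resource file."""
    root = ET.fromstring(xml_text)
    env = TYPE_LABELS.get(root.tag)
    if env is None:
        raise ValueError("unknown application type label: %r" % root.tag)
    aids = []
    for node in root.iter("AID-filter"):
        # Assumption: the AID is carried as hex in a "name" attribute.
        raw = bytes.fromhex(node.attrib["name"])
        if not 5 <= len(raw) <= 16:   # AID length allowed by ISO/IEC 7816-5
            raise ValueError("AID must be 5 to 16 bytes")
        aids.append(raw.hex().upper())
    if not aids:
        raise ValueError("no second identifier (AID) declared")
    return env, aids


def select_aid(apdu):
    """Return the hex AID of a SELECT-by-name command (00 A4 04 ..), else None."""
    if len(apdu) < 5 or apdu[0] != 0x00 or apdu[1] != 0xA4 or apdu[2] != 0x04:
        return None
    lc = apdu[4]
    if not 5 <= lc <= 16 or len(apdu) < 5 + lc:
        return None   # malformed or truncated SELECT AID
    return apdu[5:5 + lc].hex().upper()


class RoutingTable:
    """Model of the routing table kept by the routing management module."""

    def __init__(self):
        self.items = {}      # second identifier -> (first identifier, environment)
        self.current = None  # routing item of the message flow in progress

    def register(self, first_id, env, aids):
        """Create one routing item per AID; return the AIDs refused as conflicts."""
        refused = []
        for aid in aids:
            owner = self.items.get(aid)
            if owner is not None and owner[0] != first_id:
                # Assumed conflict policy: the existing owner keeps the AID.
                refused.append(aid)
            else:
                self.items[aid] = (first_id, env)
        return refused

    def route(self, apdu):
        """Second routing: return (first identifier, environment) or None."""
        aid = select_aid(apdu)
        if aid is not None:
            # A new SELECT AID ends the current message flow and starts another.
            # An unregistered AID leaves no target, so later commands are dropped.
            self.current = self.items.get(aid)
        return self.current


def demo():
    table = RoutingTable()
    for first_id, resource in ((CA_ID, CA_RESOURCE), (TA_ID, TA_RESOURCE)):
        env, aids = parse_resource_file(resource)
        refused = table.register(first_id, env, aids)
        print(first_id, "->", env, "refused:", refused)
    flow = ["00A4040007F00A0B0C0D0E0F00",  # SELECT AID owned by the TA
            "80CA9F7F00",                  # follow-up command in the same flow
            "00A4040007F001020304050600",  # SELECT AID owned by the CA
            "00A4040005A00000000100"]      # SELECT AID nobody registered
    return [table.route(bytes.fromhex(h)) for h in flow]


if __name__ == "__main__":
    for target in demo():
        print(target)
```

The refused registration shows why conflict handling belongs in the TEE-side table: without it, a later registration could take over an AID that is already routed to another application.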
It should be noted that the method shown in FIG. 6 completes the registration of the CA and the TA, together with their corresponding first and second identifiers, with the TEE, and thus the preparation of the routing information. In a specific implementation, however, because of the introduction of the TA, the following changes to the current HCE mechanism are required:
Modification of the configuration file: an application type tag identifying an HCE application in the TEE, that is, the first identifier tag, such as <TEE_apdu_service/>, must be added to indicate in the configuration file that an HCE application running in the TEE exists.
Modification of the resource file: the application type tag identifying an HCE application in the TEE, that is, the first tag, such as the <TEE-apdu-service/> tag, must be associated with several second identifier tags, such as <AID-filter> tags, so as to inform the service framework which message flows between the card reader and the HCE application the TA can handle.
In this embodiment of the present invention, the CA is installed in the REE and the TA is installed in the TEE. After the HCE application has been installed in the corresponding environment, when the terminal interacts with a contactless card reading device, the data is processed by the HCE application in the corresponding environment.
In this embodiment of the present invention, the terminal sends the external data, in the TEE, to the HCE application corresponding to the external data; in other words, the routing management module in the TEE performs the second routing. The method shown in FIG. 9 may be used:
S1051: The routing management module in the TEE obtains the second identifier in the external data, where the second identifier identifies a message flow between the card reading device and an HCE application on the terminal. The routing management module obtains the second identifier only when it receives a SELECT AID command. When it receives any other APDU command, it treats the command as an error if no SELECT AID has been received before; if a SELECT AID command has been received before, it forwards the command to the HCE application corresponding to that SELECT AID command.
S1052: According to the routing information of the HCE applications registered in the TEE, the routing management module in the TEE determines the external data first identifier corresponding to the second identifier in the external data, and the terminal environment in which the HCE application corresponding to that external data first identifier is installed. After obtaining the second identifier from the external data, the routing management module compares it in turn with the AIDs in the routing table of the TEE routing management module until an identical AID is found. The first identifier in the routing entry containing that AID is then taken as the external data first identifier, and the terminal environment in which the HCE application corresponding to the AID is installed is found.
S1053: According to the determined terminal environment, the routing management module in the TEE sends the external data to the HCE application corresponding to the external data first identifier.
In this embodiment of the present invention, by obtaining the second identifier in the external data, the external data first identifier corresponding to that second identifier and the terminal environment in which the HCE application is installed can be determined from the routing information. Once the terminal environment of the HCE application is determined, the obtained data can be routed to the HCE application in the corresponding environment, completing data routing for HCE applications of different security levels.
It should be noted that the routing information in this embodiment of the present invention may also include only the first identifier and the second identifier. The second identifier in the external data is obtained and the corresponding external data first identifier is determined; by parsing the external data first identifier, it can be determined whether the HCE application is a TA or a CA, and hence its installation environment: if it is a TA, the installation environment is the TEE, and if it is a CA, the installation environment is the REE.
In this embodiment of the present invention, the data is sent to the HCE application corresponding to the external data first identifier according to the determined terminal environment in which the HCE application is installed, specifically as follows:
A: If the determined terminal environment in which the HCE application is installed is the TEE, the data is sent over the established session to the HCE application in the TEE corresponding to the external data first identifier.
The routing management module of the TEE looks up, in the routing table, the external data first identifier and the terminal environment of the HCE application that correspond to the second identifier in the external data. The routing management module, that is, the Route-TA in FIG. 1A and FIG. 1B, then uses the Internal Client API defined by the TEE Internal Core API standard to create a session to the target TA and forwards the data to the TA, as shown in FIG. 10. Because the TA's first identifier, at least one second identifier and installed terminal environment were registered with the Route-TA (the routing management module) in the TEE when the TA was installed, the Route-TA can actively send the obtained external data to the TA. Therefore, after the session has been established, as long as a received data frame does not contain a command selecting a second identifier, external data can continue to be forwarded to the corresponding TA over the currently established session.
B: If the determined terminal environment in which the HCE application is installed is the REE, the external data is sent to the HCE application in the REE corresponding to the external data first identifier through the service program in the TEE or through shared memory.
Specifically, when the CA starts, it uses the first identifier (UUID) of the service program (REE NFC Service, abbreviated here as RNS-TA) to create a CA-to-TA session, which remains in the pending state. When the RNS-TA receives data from the Route-TA, the routing management module has already marked which CA should process the data, so the RNS-TA can return the data to the CA over the established session. Thus, in this embodiment of the present invention, the routing management module of the TEE finds the external data first identifier and the terminal environment of the HCE application that correspond to the second identifier in the external data; the routing management module, that is, the Route-TA in FIG. 1A and FIG. 1B, then forwards the data to the service program in the TEE, which forwards the external data to the corresponding CA, as shown in FIG. 11A. If the installation environment of the HCE application is determined to be the REE, the routing management module may alternatively send the external data directly to the CA through shared memory, as shown in FIG. 11B.
In this embodiment of the present invention, when external data is received again and contains a second identifier selection command (that is, a SELECT AID command), the NFCC forwards the data frame to the TEE, and the routing management module of the TEE performs routing within the TEE. The routing management module determines whether the second identifier in this external data is handled by the HCE application with which a session is currently established, denoted HCE application 1. If so, the routing management module sends the external data to HCE application 1 directly over the current session. If it is handled by a different HCE application, denoted HCE application 2, the routing management module may either keep or close the current session, but it must establish a second session according to the first identifier of HCE application 2 and send the second identifier selection command and subsequent external data to HCE application 2 over that second session.
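The second routing in steps S1051 to S1053, together with the session rule for a repeated SELECT AID, can be sketched as follows. This is an added example, not code from the patent: the type and function names, the placeholder first identifiers and the sample AIDs and APDUs are constructed for illustration, and it assumes short-form APDUs and that a SELECT for an unregistered AID clears the current selection.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef enum { ENV_REE, ENV_TEE } env_t;

/* One routing-table entry: second identifier (AID) -> first identifier + environment. */
typedef struct {
    uint8_t     aid[16];   /* ISO/IEC 7816-4 AIDs are 5 to 16 bytes long */
    size_t      aid_len;
    const char *first_id;  /* constructed placeholder for the application's identifier */
    env_t       env;
} route_entry_t;

typedef enum {
    ROUTE_TO_TA,           /* forward over a session inside the TEE */
    ROUTE_TO_CA,           /* forward via the TEE service program or shared memory */
    ROUTE_ERR_NO_SELECT,   /* other APDU arrived before any SELECT AID */
    ROUTE_ERR_NO_ROUTE,    /* SELECT AID names an AID nobody registered */
    ROUTE_ERR_MALFORMED    /* truncated APDU or Lc that disagrees with the length */
} route_result_t;

typedef struct {
    const route_entry_t *table;
    size_t               n;
    const route_entry_t *current;         /* entry chosen by the last SELECT AID */
    unsigned             sessions_opened; /* times the router switched to a new application */
} router_t;

/* Constructed sample registrations: one TA with two AIDs, one CA with one AID. */
static const route_entry_t DEMO_TABLE[] = {
    { {0xF0,0x01,0x02,0x03,0x04,0x05}, 6, "ta-app-1", ENV_TEE },
    { {0xF0,0x01,0x02,0x03,0x04,0x06}, 6, "ta-app-1", ENV_TEE },
    { {0xF0,0x0A,0x0B,0x0C,0x0D},      5, "ca-app-1", ENV_REE },
};

/* Constructed sample APDUs (short form): CLA INS P1 P2 Lc data Le. */
static const uint8_t SEL_TA_1[]    = {0x00,0xA4,0x04,0x00,0x06,0xF0,0x01,0x02,0x03,0x04,0x05,0x00};
static const uint8_t SEL_TA_2[]    = {0x00,0xA4,0x04,0x00,0x06,0xF0,0x01,0x02,0x03,0x04,0x06,0x00};
static const uint8_t SEL_CA[]      = {0x00,0xA4,0x04,0x00,0x05,0xF0,0x0A,0x0B,0x0C,0x0D,0x00};
static const uint8_t SEL_UNKNOWN[] = {0x00,0xA4,0x04,0x00,0x05,0xF0,0xFF,0xFF,0xFF,0xFF,0x00};
static const uint8_t SEL_SHORT[]   = {0x00,0xA4,0x04,0x00,0x10,0xF0,0x01}; /* Lc=16, 2 bytes present */
static const uint8_t GET_DATA[]    = {0x80,0xCA,0x9F,0x17,0x00};

/* S1051: returns 1 for a well-formed SELECT by AID, 0 for any other APDU, -1 if malformed. */
static int parse_select_aid(const uint8_t *apdu, size_t len, const uint8_t **aid, size_t *aid_len)
{
    if (len < 4) return -1;                            /* no complete header */
    if (apdu[1] != 0xA4 || apdu[2] != 0x04) return 0;  /* INS=SELECT, P1=select by name */
    if (len < 5) return -1;                            /* SELECT AID without Lc */
    size_t lc = apdu[4];
    if (lc < 5 || lc > 16) return -1;                  /* AID length out of range */
    if (len != 5 + lc && len != 6 + lc) return -1;     /* body must match Lc (+ optional Le) */
    *aid = apdu + 5;
    *aid_len = lc;
    return 1;
}

/* S1052: compare the AID with each table entry in turn until an identical one is found. */
static const route_entry_t *lookup(const router_t *r, const uint8_t *aid, size_t aid_len)
{
    for (size_t i = 0; i < r->n; i++)
        if (r->table[i].aid_len == aid_len && memcmp(r->table[i].aid, aid, aid_len) == 0)
            return &r->table[i];
    return NULL;
}

/* S1053: decide where the frame goes; only a SELECT AID can change the current target. */
route_result_t route_apdu(router_t *r, const uint8_t *apdu, size_t len)
{
    const uint8_t *aid = NULL;
    size_t aid_len = 0;
    int sel = parse_select_aid(apdu, len, &aid, &aid_len);
    if (sel < 0) return ROUTE_ERR_MALFORMED;           /* selection state left untouched */
    if (sel == 1) {
        const route_entry_t *e = lookup(r, aid, aid_len);
        if (!e) { r->current = NULL; return ROUTE_ERR_NO_ROUTE; } /* assumption: clear selection */
        /* Same application (same first identifier): reuse the session, else open a new one. */
        if (!r->current || strcmp(r->current->first_id, e->first_id) != 0)
            r->sessions_opened++;
        r->current = e;
    } else if (!r->current) {
        return ROUTE_ERR_NO_SELECT;
    }
    return r->current->env == ENV_TEE ? ROUTE_TO_TA : ROUTE_TO_CA;
}

int main(void)
{
    router_t r = { DEMO_TABLE, 3, NULL, 0 };
    printf("%d\n", (int)route_apdu(&r, GET_DATA, sizeof GET_DATA)); /* before any SELECT */
    printf("%d\n", (int)route_apdu(&r, SEL_TA_1, sizeof SEL_TA_1));
    printf("%d\n", (int)route_apdu(&r, SEL_CA, sizeof SEL_CA));
    printf("sessions=%u\n", r.sessions_opened);
    return 0;
}
```

Checking Lc against the frame length before the AID is read keeps a truncated or oversized SELECT away from the table lookup and leaves the current selection unchanged.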
The data routing process described above is explained in detail below with reference to a practical application.
This embodiment of the present invention is described using communication between a contactless POS terminal and the terminal as an example. A terminal supporting a TEE acts as the card emulation device. When the contactless POS terminal sends transaction data to the terminal over the NFC channel of the near-field payment environment, the terminal obtains the transaction data through the NFCC and, via the NFCC in the REE or the NFCC in the TEE, passes it to the routing management module of the TEE. The routing management module of the TEE looks up the first identifier corresponding to the AID (the second identifier) in the transaction data. From the first identifier the terminal knows which TA or CA should process the transaction data; it then establishes a session and sends the transaction data over that session to the TA or CA corresponding to the AID.
It should be noted that, in this embodiment of the present invention, the CA is installed in the REE and the TA is installed in the TEE. After the HCE application has been installed in the corresponding environment, when the terminal interacts with the card reading device and the HCE application in the corresponding environment processes the data, the data routing flow of the above embodiments may be used. That is, the embodiments of the present invention also provide a data routing method; for the specific implementation, refer to the description of the above embodiments, which is not repeated here.
With the host card emulation method provided by this embodiment of the present invention, the two different application type tags in the resource file allow the terminal to distinguish whether the terminal environment in which an HCE application is installed is the TEE or the REE. When the terminal receives an HCE application installation package, it can use the application type tag in the resource file to determine the terminal environment for the HCE application, distinguish whether the HCE application is a TA or a CA, and install the TA in the TEE and the CA in the REE. This supports HCE applications at two different security levels, TEE and REE, so that developers can choose to implement HCE functionality in the TEE or in the REE as needed to meet the requirements of different application functions.
Based on the method for implementing host card emulation provided by the above embodiments, an embodiment of the present invention further provides a terminal 100 for implementing host card emulation (HCE). The terminal 100 includes an installation unit 101, a parsing unit 102 and a registration unit 103, as shown in FIG. 12A. In this embodiment of the present invention:
The installation unit 101 is configured to install an HCE application, according to the type of the HCE application, into the terminal environment corresponding to that type.
In this embodiment of the present invention, the terminal environment includes a trusted execution environment (TEE) and a rich execution environment (REE).
The parsing unit 102 is configured to parse the first identifier of the HCE application installed by the installation unit 101 and at least one second identifier contained in the HCE application.
In this embodiment of the present invention, the first identifier uniquely identifies the HCE application in the terminal, and the second identifier identifies a message flow between the card reading device and the HCE application.
The registration unit 103 is configured to register the routing information of the HCE application in the TEE, where the routing information includes the first identifier and the at least one second identifier parsed by the parsing unit 102, and the terminal environment in which the HCE application is installed.
The terminal 100 for implementing host card emulation provided by this embodiment of the present invention distinguishes, by means of different application type tags, whether an HCE application is a TA or a CA, and installs the TA in the TEE and the CA in the REE, thereby realizing HCE applications at two different security levels, TEE-based and REE-based.
In a first implementation, the terminal 100 for implementing host card emulation provided by this embodiment of the present invention further includes a first routing unit 104 and a second routing unit 105, where:
The first routing unit 104 is configured to send the obtained external data to the second routing unit in the TEE;
The second routing unit 105 is configured to send the external data to the HCE application, installed by the installation unit 101, that corresponds to the external data.
Specifically, the first routing unit 104 is configured to send the obtained external data to the second routing unit 105 in the TEE as follows:
Obtain the external data through the near field communication controller (NFCC) in the TEE or the NFCC in the REE; the NFCC in the TEE or the NFCC in the REE sends the external data whose routing target is the device host to the second routing unit 105 in the TEE.
Further, the second routing unit 105 is specifically configured to send the external data to the HCE application corresponding to the external data as follows:
Obtain the second identifier in the external data;
According to the information registered in the TEE, determine the external data first identifier corresponding to the second identifier in the external data, and the terminal environment in which the HCE application corresponding to the external data first identifier is installed;
According to the determined terminal environment, send the external data to the HCE application corresponding to the external data first identifier.
Specifically, the second routing unit 105 is configured to send the external data, according to the determined terminal environment, to the HCE application corresponding to the external data first identifier as follows:
If the determined terminal environment is the TEE, send the external data over the established session to the HCE application in the TEE corresponding to the external data first identifier;
If the determined terminal environment is the REE, send the external data to the HCE application in the REE corresponding to the external data first identifier through the service program in the TEE or through shared memory.
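The terminal 100 for implementing host card emulation provided by this embodiment of the present invention is used to implement the functions of the host card emulation method of the above embodiments. For the specific implementation process, refer to the description of the above embodiments, which is not repeated here.
With the host card emulation terminal 100 provided by this embodiment of the present invention, two different application type tags allow the terminal to distinguish whether the installation environment of an HCE application is the TEE or the REE. When the terminal receives an HCE application installation package, it can use the application type tag to determine the terminal environment for the HCE application, distinguish whether the HCE application is a TA or a CA, and install the TA in the TEE and the CA in the REE. This supports HCE applications at two different security levels, TEE and REE, so that developers can choose to implement HCE functionality in the TEE or in the REE as needed to meet the requirements of different application functions.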
Based on the method for implementing host card emulation provided by the above embodiments, an embodiment of the present invention further provides a terminal 200 for implementing host card emulation. As shown in FIG. 13, the terminal 200 includes a processor 201. The terminal 200 contains two operating environments, the REE and the TEE, each with its own processor; that is, the processor 201 of the terminal 200 includes a public processing core 2011 and a trusted processing core 2012, where the public processing core 2011 is the processor of the REE and the trusted processing core 2012 is the processor of the TEE. It should be noted that, in the present invention, the public processing core 2011 and the trusted processing core 2012 may be different cores of the same physical CPU, or different CPU time slices of the same physical CPU.
Further, the terminal 200 for implementing host card emulation provided in this embodiment of the present invention also includes memory. The memory includes a public random-access memory (RAM) 2021 and a public read-only memory (ROM) 2041 operating in the REE, and a trusted RAM 2022 and a trusted ROM 2042 operating in the TEE.
In this embodiment of the present invention, the public RAM 2021, the public ROM 2041, the trusted RAM 2022 and the trusted ROM 2042 can be used to store instructions and data. The instruction storage area can store the operating system, the instructions required for at least one function, and so on; the instructions enable the processor 201 to execute the method for implementing host card emulation of the above embodiments of the present invention.
In this embodiment of the present invention, the terminal 200 for implementing host card emulation also includes peripherals, comprising a public peripheral 2031 in the REE and a trusted peripheral 2032 in the TEE. When the NFCC is located in the REE, the NFCC is a public peripheral; when the NFCC is located in the TEE, the NFCC is a trusted peripheral.
Further, in this embodiment of the present invention, the terminal 200 for implementing host card emulation also includes a communication unit 2051 located in the REE.
In this embodiment of the present invention, the processor 201 is the control center of the terminal 200 for implementing host card emulation. It connects the parts of the entire mobile phone through various interfaces and lines. By running or executing the instructions stored in the public RAM 2021, the public ROM 2041, the trusted RAM 2022 and the trusted ROM 2042, and by calling the data stored in them, it carries out the various functions of the terminal 200 and processes data through the trusted peripheral 2032, the public peripheral 2031 and the communication unit 2051, thereby controlling the terminal 200 as a whole. Optionally, the processor 201 may include one or more processing units. Preferably, the processor 201 may integrate an application processor and a modem processor, where the application processor mainly handles the operating system, the user interface, application programs and the like, and the modem processor mainly handles wireless communication. It can be understood that the modem processor may also not be integrated into the processor 201. In some embodiments the processor and the memory may be implemented on a single chip; in other embodiments they may be implemented on separate chips.
The processor 201 included in the terminal 200 for implementing host card emulation provided by this embodiment of the present invention is configured to call the instructions and data stored in the public RAM 2021, the public ROM 2041, the trusted RAM 2022 and the trusted ROM 2042 and, through the trusted peripheral 2032, the public peripheral 2031 and the communication unit 2051, to implement the following functions:
Install an HCE application, according to the type of the HCE application, into the terminal environment corresponding to that type, where the terminal environment includes the TEE and the REE; parse the first identifier of the HCE application and at least one second identifier contained in the HCE application, where the first identifier uniquely identifies the HCE application in the terminal and the second identifier identifies a message flow between the card reading device and the HCE application; and register the routing information of the HCE application in the TEE, where the routing information includes the first identifier, the at least one second identifier and the terminal environment in which the HCE application is installed.
Further, the processor 201 is also configured to:
Send the obtained external data to the routing management module in the TEE, and control the routing management module to send the external data to the HCE application corresponding to the external data.
Specifically, the processor 201 is configured to send the obtained external data to the routing management module in the TEE as follows:
Obtain the external data through the NFCC in the TEE or the NFCC in the REE;
The NFCC in the TEE or the NFCC in the REE sends the external data whose routing target is the device host to the routing management module in the TEE.
The processor 201 is specifically configured to control the routing management module to send the external data to the HCE application corresponding to the external data as follows:
Control the routing management module to obtain, through the communication unit and the peripherals, the second identifier in the external data; determine, according to the routing information registered in the TEE, the external data first identifier corresponding to the second identifier in the external data and the terminal environment in which the HCE application corresponding to the external data first identifier is installed; and control the routing management module to send the external data, according to the determined terminal environment, to the HCE application corresponding to the external data first identifier.
Specifically, the processor 201 is configured to control the routing management module to send the external data, according to the determined terminal environment, to the HCE application corresponding to the external data first identifier as follows:
If the determined terminal environment is the TEE, send the external data over the established session to the HCE application in the TEE corresponding to the external data first identifier;
If the determined terminal environment is the REE, send the external data to the HCE application in the REE corresponding to the external data first identifier through the service program in the TEE or through shared memory.
The terminal 200 for implementing host card emulation provided by this embodiment of the present invention has the functions of any of the host card emulation methods of the above embodiments. For the specific functions, refer to the description of the above embodiments, which is not repeated here.
With the host card emulation terminal 200 provided by this embodiment of the present invention, two different application type tags allow the terminal to distinguish whether the installation environment of an HCE application is the TEE or the REE. When the terminal receives an HCE application installation package, it can use the application type tag to determine the terminal environment for the HCE application, distinguish whether the HCE application is a TA or a CA, and install the TA in the TEE and the CA in the REE. This supports HCE applications at two different security levels, TEE and REE, so that developers can choose to implement HCE functionality in the TEE or in the REE as needed to meet the requirements of different application functions.
基于上述实施例提供的实现主机卡模拟方法中的数据路由过程,本发明实施例还提供一种数据路由装置300,如图14所示,数据路由装置300包括获取单元301、第一路由单元302和第二路由单元303,其中,Based on the data routing process in the host card emulation method provided by the above embodiments, an embodiment of the present invention further provides a
获取单元301,用于获取外部数据。The acquiring
第一路由单元302,用于将所述获取单元301获取的外部数据发送至TEE;a
第二路由单元303,用于将所述外部数据发送至与所述外部数据对应的HCE应用。The
在第一种实现方式中,所述第一路由单元302,具体用于按如下方式将获取的外部数据发送至TEE:In a first implementation manner, the
通过TEE中的NFCC驱动或者REE中的NFCC驱动获得所述数据,并将路由目标是设备主机的所述外部数据发送至TEE中的第二路由单元303。The data is obtained through the NFCC driver in the TEE or the NFCC driver in the REE, and the external data whose routing target is the device host is sent to the
在第二种实现方式中,所述第二路由单元303,具体用于按如下方式,将所述外部数据发送至与所述外部数据对应的HCE应用:In the second implementation manner, the
获取所述外部数据中的第二标识,所述第二标识用于标识读卡设备与所述HCE应用之间的消息流;Acquiring a second identifier in the external data, where the second identifier is used to identify a message flow between the card reader device and the HCE application;
根据注册到TEE中的所述HCE应用的路由信息,确定与所述外部数据中的第二标识对应的外部数据第一标识、以及与所述外部数据第一标识对应的HCE应用安装的终端环境,所述第一标识用于在终端中唯一标识一个HCE应用;Determine, according to the routing information of the HCE application registered in the TEE, the first identifier of external data corresponding to the second identifier in the external data, and the terminal environment in which the HCE application corresponding to the first identifier of external data is installed , the first identifier is used to uniquely identify an HCE application in the terminal;
根据所述确定的终端环境,将所述外部数据发送至与所述外部数据第一标识对应的HCE应用。According to the determined terminal environment, the external data is sent to the HCE application corresponding to the first identifier of the external data.
在第三种实现方式中,所述第二路由单元303,具体用于按如下方式,根据所述确定的终端环境,将所述外部数据发送至与所述外部数据第一标识对应的HCE应用:In a third implementation manner, the
若所述确定的终端环境为TEE,则通过建立的会话将所述外部数据发送给TEE中的与所述外部数据第一标识对应的HCE应用;If the determined terminal environment is a TEE, sending the external data to the HCE application corresponding to the first identifier of the external data in the TEE through the established session;
若所述确定的终端环境为REE,则通过TEE中的服务程序或者共享内存将所述外部数据发送给REE中的与所述外部数据第一标识对应的HCE应用。If the determined terminal environment is REE, the external data is sent to the HCE application corresponding to the first identifier of the external data in the REE through the service program in the TEE or the shared memory.
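The data routing apparatus 300 provided in this embodiment of the present invention implements the data routing process of the host card emulation method described in the foregoing embodiments. For the specific process, refer to the description of those embodiments; it is not repeated here.
By acquiring the second identifier in the external data, the data routing apparatus 300 provided in this embodiment of the present invention can determine the first identifier of the external data that corresponds to the second identifier. From the first identifier it can determine whether the HCE application is a TA or a CA, and therefore the environment in which the HCE application is installed: a TA is installed in the TEE, and a CA is installed in the REE. Once the installation environment is known, the acquired data can be routed to the HCE application in that environment, which completes data routing for HCE applications of different security levels.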
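The lookup performed by the second routing unit (second identifier to first identifier to installation environment) can be sketched as follows. This is an added example, not code from the patent: the table layout, identifier sizes, function names and the duplicate-registration rule are all assumptions, and an unregistered identifier is treated as "drop".

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical names, sizes and layout; the page does not define a table format. */
enum env { ENV_NONE = 0, ENV_TEE, ENV_REE };  /* TA -> TEE, CA -> REE */

struct route {
    uint8_t  flow_id[16];  /* second identifier: reader <-> HCE app message flow */
    size_t   flow_len;
    uint32_t app_id;       /* first identifier: unique per HCE app in the terminal */
    enum env where;        /* environment recorded when the app registered */
};

#define MAX_ROUTES 8
static struct route table[MAX_ROUTES];
static size_t n_routes;

static const struct route *find(const uint8_t *flow, size_t len)
{
    for (size_t i = 0; i < n_routes; i++)
        if (table[i].flow_len == len && memcmp(table[i].flow_id, flow, len) == 0)
            return &table[i];
    return NULL;
}

/* Register routing info in the TEE-held table. Assumption: a flow identifier
 * already bound to an app cannot be re-registered, so a later registration
 * cannot redirect an existing flow. Returns 0 on success, -1 on rejection. */
int route_register(const uint8_t *flow, size_t len, uint32_t app_id, enum env where)
{
    if (!flow || len == 0 || len > sizeof table[0].flow_id) return -1;
    if (where != ENV_TEE && where != ENV_REE) return -1;
    if (n_routes == MAX_ROUTES || find(flow, len)) return -1;
    struct route *r = &table[n_routes++];
    memcpy(r->flow_id, flow, len);
    r->flow_len = len;
    r->app_id = app_id;
    r->where = where;
    return 0;
}

/* Second identifier -> first identifier + environment. ENV_NONE means no
 * registered route: the caller drops the data instead of guessing a target. */
enum env route_lookup(const uint8_t *flow, size_t len, uint32_t *app_id)
{
    const struct route *r = flow ? find(flow, len) : NULL;
    if (!r) return ENV_NONE;
    *app_id = r->app_id;
    return r->where;
}
```

A caller would then pass the data over the established session when the result is `ENV_TEE`, and through the TEE service program or shared memory when it is `ENV_REE`.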
A person of ordinary skill in the art can understand that all or some of the steps of the methods in the foregoing embodiments may be completed by a program instructing a processor. The program may be stored in a computer-readable storage medium, and the storage medium is a non-transitory medium, such as random access memory, read-only memory, flash memory, a hard disk, a solid-state drive, magnetic tape, a floppy disk, an optical disc, or any combination thereof.
The present invention is described with reference to the flowcharts and block diagrams of the methods and devices of the embodiments of the present invention. It should be understood that each process and block in the flowcharts and block diagrams, and combinations of processes and blocks in the flowcharts and block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor, or another programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce an apparatus for implementing the functions specified in one or more processes of the flowcharts and one or more blocks of the block diagrams.
The foregoing is merely a preferred specific embodiment of the present invention, but the protection scope of the present invention is not limited to it. Any change or replacement that a person skilled in the art can readily conceive of within the technical scope disclosed by the present invention shall fall within the protection scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.
Claims (21)
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| PCT/CN2015/088889 WO2017035819A1 (en) | 2015-09-02 | 2015-09-02 | Method for implementing host card emulation, terminal, and data routing method and apparatus |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN106663017A (en) | 2017-05-10 |
| CN106663017B (en) | 2020-01-10 |
Family
ID=58186475
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201580043877.1A Active CN106663017B (en) | 2015-09-02 | 2015-09-02 | Method, terminal, data routing method and device for realizing host card simulation |
Country Status (4)
| Country | Link |
|---|---|
| US (1) | US11138027B2 (en) |
| EP (1) | EP3333701B1 (en) |
| CN (1) | CN106663017B (en) |
| WO (1) | WO2017035819A1 (en) |
Families Citing this family (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US11443323B2 (en) * | 2018-03-07 | 2022-09-13 | Samsung Electronics Co., Ltd. | System and method for secure transactions with a trusted execution environment (TEE) |
| CN111625815B (en) * | 2020-05-26 | 2023-09-26 | 牛津(海南)区块链研究院有限公司 | Data transaction method and device based on trusted execution environment |
| CN112416227B (en) * | 2020-11-19 | 2022-06-14 | Oppo(重庆)智能科技有限公司 | Configuration method, mobile terminal and computer storage medium |
| CN112822722B (en) * | 2020-12-30 | 2022-09-23 | 联想未来通信科技(重庆)有限公司 | Data message transmission method and device |
| CN114302404B (en) * | 2021-12-23 | 2024-11-19 | 汇顶科技(成都)有限责任公司 | Near field communication method, configuration method, NFC host and electronic device |
| CN114422989A (en) * | 2021-12-27 | 2022-04-29 | 无锡融卡科技有限公司 | NFC communication device and method in smart terminal |
| CN114286345B (en) * | 2021-12-27 | 2024-04-02 | 无锡融卡科技有限公司 | NFC communication device and method in intelligent terminal |
Citations (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102047223A (en) * | 2008-03-27 | 2011-05-04 | 摩托罗拉移动公司 | Method and apparatus for automatic near field communication application selection in an electronic device |
Family Cites Families (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US9357332B2 (en) | 2012-06-08 | 2016-05-31 | Broadcom Corporation | Near field communication application identification routing in card emulation |
| CN103778395B (en) * | 2012-10-25 | 2016-12-21 | 中国移动通信集团公司 | Application installation method in near-field communication NFC terminal and NFC terminal |
| CN104636666A (en) | 2013-11-07 | 2015-05-20 | 中国移动通信集团公司 | Method and safety device for safely processing information of mobile terminal |
| EP3084701B1 (en) * | 2013-12-19 | 2022-05-04 | Visa International Service Association | Cloud-based transactions methods and systems |
| EP2911076A1 (en) * | 2014-02-24 | 2015-08-26 | Mastercard International Incorporated | Biometric authentication |
| US10387219B2 (en) * | 2015-03-10 | 2019-08-20 | Oracle International Corporation | Enabling multiple secure elements in a card computing device |
2015
- 2015-09-02 WO PCT/CN2015/088889 patent/WO2017035819A1/en active Application Filing
- 2015-09-02 CN CN201580043877.1A patent/CN106663017B/en active Active
- 2015-09-02 US US15/756,711 patent/US11138027B2/en active Active
- 2015-09-02 EP EP15902626.9A patent/EP3333701B1/en active Active
Non-Patent Citations (1)
| Title |
|---|
| Research on a TEE-based NFC card emulation security scheme; 张亚飞 et al.; 《北京电子科技学院学报》; 20141215; Vol. 22 (No. 4); main text pp. 48-53, Figs. 2-3 * |
Also Published As
| Publication number | Publication date |
|---|---|
| WO2017035819A1 (en) | 2017-03-09 |
| EP3333701A4 (en) | 2018-09-05 |
| US11138027B2 (en) | 2021-10-05 |
| CN106663017A (en) | 2017-05-10 |
| US20180246742A1 (en) | 2018-08-30 |
| EP3333701B1 (en) | 2022-11-02 |
| EP3333701A1 (en) | 2018-06-13 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN106663017B (en) | Method, terminal, data routing method and device for realizing host card simulation | |
| CN101965597B (en) | Method and device for installing and retrieving linked MIFARE applications | |
| JP5323187B2 (en) | Application access method in a secure mobile environment | |
| US8807440B1 (en) | Routing secure element payment requests to an alternate application | |
| US8943494B2 (en) | Method for installing and managing NFC applications with pictures | |
| US11126753B2 (en) | Secure processor chip and terminal device | |
| US20100323681A1 (en) | Sharing or reselling nfc applications among mobile communication devices | |
| US9021055B2 (en) | Nonconforming web service policy functions | |
| CN107251069B (en) | Near field communication payment method and terminal | |
| US10032050B2 (en) | Electronic device, system and method for NFC | |
| CN109766152B (en) | Interaction method and device | |
| JP6573672B2 (en) | NFC communication apparatus and method | |
| US10387219B2 (en) | Enabling multiple secure elements in a card computing device | |
| WO2016202108A1 (en) | Nfc payment method, nfc payment system and mobile terminal | |
| JP6923582B2 (en) | Information processing equipment, information processing methods, and programs | |
| US9807595B2 (en) | Terminal read with smart card update list | |
| US9870217B2 (en) | Toolkit event configuration of applets on a card computing device with installation parameters | |
| US20140298411A1 (en) | Accessing a secure element through a manageablity engine | |
| JP6397200B2 (en) | Management server, data processing method, and program | |
| US20150074105A1 (en) | Mobile application data storage allocation | |
| US8369894B1 (en) | Confirming certification of combinations of secure elements and mobile devices | |
| JP6807817B2 (en) | Terminal | |
| EP3086256A1 (en) | Method of managing a secure element in a nfc device | |
| JPWO2017038821A1 (en) | Information processing apparatus, information processing method, program, and information processing system | |
| CN114968185A (en) | Smart card and operation method and device of application thereof, storage medium and product |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||